AWS: Security Group to allow access internet-facing Load balancer to be accessed from private instances

My question is an extended version of this.


In my case the security group has to restrict the access to Load Balancer 1. It has to have some white listed IPs. So, which IPs can I put here that can allow access of Load Balancer 1 from Auto Scaling Group 2 private instances?

I have tried putting the Elastic IP of NAT Gateway as a whitelisted IP and it works. I want to understand why it is absolutely necessary to put this IP in Security Group to access the internet-facing ALB from the private subnet instance of the same VPC.

Nirav Radia Avatar asked Feb 13 '17 14:02



1 Answer

I have tried putting the Elastic IP of NAT Gateway as a whitelisted IP and it works. I want to understand why it is absolutely necessary to put this IP in Security Group to access the internet-facing ALB from the private subnet instance of the same VPC.

Because the instances in the private subnet look up the DNS of the public load balancer, resolve it to its public internet IP, and then attempt to connect to that IP, which gets routed through the NAT gateway.

As far as I know there is no way to have a public Elastic Load Balancer that can also be resolved to a private IP inside your VPC. So you will have to go through the NAT gateway to access the public load balancer from inside your private IP.

An alternative setup would be to create a third load balancer, that is private, that also points to the instances in Auto-Scale Group #1, and have your private subnet instances communicate with that load balancer.

If you go with the third load balancer approach, you would create a new target group, assign that group to your existing auto-scaling group, and point the new load balancer to the new target group. The key point is that a target group can only be used by one Application Load Balancer, but instances can belong to multiple target groups and auto-scaling groups can have multiple target groups.

Mark B Avatar answered Sep 20 '22 00:09

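The mechanism the answer describes, modelled as an added example (this is not code from the question or from the answer): a minimal longest-prefix route lookup for a private subnet shows why a connection to the internet-facing ALB's public address leaves through the NAT gateway and therefore reaches the load balancer with the NAT gateway's Elastic IP as its source, while a connection to an internal ALB's VPC address stays on the local route and keeps the instance's private address. The VPC CIDR, all IP addresses and the security group id are constructed placeholder values; the only assumption about the real setup is the usual private-subnet route table (VPC CIDR local, default route to a NAT gateway).

```python
"""Why the NAT gateway's Elastic IP is the source the ALB security group sees."""
import ipaddress
import socket
from dataclasses import dataclass

# --- Constructed sample topology (placeholder values, not from the question) ---
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
PRIVATE_INSTANCE_IP = ipaddress.ip_address("10.0.2.25")
NAT_GATEWAY_EIP = ipaddress.ip_address("203.0.113.10")   # documentation-range placeholder
INSTANCE_SG_ID = "sg-0123456789abcdef0"                   # placeholder security group id
# An internet-facing ALB resolves to public addresses; an internal ALB to VPC addresses.
PUBLIC_ALB_ADDRESSES = [ipaddress.ip_address(a) for a in ("198.51.100.7", "198.51.100.8")]
INTERNAL_ALB_ADDRESSES = [ipaddress.ip_address(a) for a in ("10.0.1.40", "10.0.3.41")]


@dataclass(frozen=True)
class Route:
    destination: ipaddress.IPv4Network
    target: str  # "local" or "nat-gateway"


# Route table of a typical private subnet: VPC CIDR stays local, everything else goes to NAT.
PRIVATE_SUBNET_ROUTES = (
    Route(VPC_CIDR, "local"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "nat-gateway"),
)


def select_route(dst, routes=PRIVATE_SUBNET_ROUTES):
    """Longest-prefix match, which is how a VPC route table chooses a route."""
    matches = [r for r in routes if dst in r.destination]
    if not matches:
        raise ValueError(f"no route to {dst}")
    return max(matches, key=lambda r: r.destination.prefixlen)


def source_seen_by_alb(dst, src=PRIVATE_INSTANCE_IP, nat_eip=NAT_GATEWAY_EIP):
    """Address the load balancer's security group evaluates for a flow src -> dst."""
    if select_route(dst).target == "nat-gateway":
        return nat_eip  # the NAT gateway source-translates to its Elastic IP
    return src          # local route: the instance's private address is preserved


def required_ingress_sources(alb_addresses):
    """Narrowest security-group ingress sources that admit the private instances.

    Traffic that arrives through the NAT gateway can only be matched by the
    NAT EIP as a /32; traffic that stays inside the VPC is better matched by
    the instances' security group than by their auto-scaled, changing addresses.
    """
    sources = set()
    for addr in alb_addresses:
        if source_seen_by_alb(addr) == NAT_GATEWAY_EIP:
            sources.add(("cidr", f"{NAT_GATEWAY_EIP}/32"))
        else:
            sources.add(("security-group", INSTANCE_SG_ID))
    return sorted(sources)


def resolve_alb(dns_name):
    """Resolve a load balancer DNS name the way an instance would (needs network access)."""
    infos = socket.getaddrinfo(dns_name, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({ipaddress.ip_address(info[4][0]) for info in infos})


if __name__ == "__main__":
    print("internet-facing ALB:", required_ingress_sources(PUBLIC_ALB_ADDRESSES))
    print("internal ALB:       ", required_ingress_sources(INTERNAL_ALB_ADDRESSES))
```

Allowing the NAT gateway's Elastic IP as a /32 is the narrowest rule that can work for the internet-facing path, but it admits every host that egresses through that NAT gateway, not only the Auto Scaling group's instances. For the internal load balancer path the rule can reference the instances' security group instead, which keeps working as the group scales without any address in the rule changing. resolve_alb is the only function that needs the network; running it against the real load balancer name from a private instance confirms which of the two paths a given load balancer takes.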